Outlook: Internet Security Warning

When I start Outlook, I get an “Internet Security Warning” dialog box with the message:

The server you are connected to is using a security certificate that cannot be verified.
The target principal name is incorrect.

I clicked on “View Certificate” and installed the certificate, but I still get this dialog each time I start Outlook.

Clicking “Yes” each time allows me to use Outlook as normal, but how can I get rid of this dialog?

Usually you get this error when you are using a shared hosting account with your own domain and connect via SSL. Another common cause is that your ISP has changed the name of their mail server and is redirecting you from the old server name to the new one, while the name of the old server isn’t on their new SSL certificate.

Looking at the certificate usually provides the answer.

Name on the certificate should match the name of the mail server

The solution is quite simple; click on the “View Certificate…” button and look at the “Issued to” name. This is usually the name that you’ll need to specify for your incoming and/or outgoing server in your account configuration.

In some cases, this still won’t work because the certificate holds multiple names. You can then select the “Details” tab and see if the certificate holds a field called “Subject Alternative Name”. If so, you’ll find other names that you could try after each “DNS Name=” value.

If none of those names work either, contact your ISP and ask for the correct name of the mail server that you should use. Another (less secure) alternative would be to disable the use of SSL for your mail account.

No need to install the certificate

As long as the name on the certificate doesn’t match the name specified in your account settings, you’ll get this warning message. Installing the certificate will not help in any way and isn’t needed either.

The only case in which installing the certificate is needed is when the names do match and the certificate isn’t issued (trusted) by a Certificate Authority. These are so-called “Self-Signed Certificates”. In that case, only install the certificate if you trust the domain that is specified on the certificate and if the administrator responsible for that domain has instructed you to do so.

Background information

Many shared hosting solutions or ISPs are now offering secure access to your mailbox via Secure Sockets Layer (SSL). In order to make an SSL connection, a security certificate is required on the mail server. The name on this certificate should match the name that you use to connect to this server, for instance mail.yourdomain.com.

With shared hosting solutions, your mailbox is hosted on a mail server which also hosts mailboxes for other people’s or companies’ domains. This means that the mail server often can be reached not only via mail.yourdomain.com but also via mail.theirdomain.com.

As SSL certificates usually aren’t free and updating and maintaining them for each shared account in a cost-effective way is near impossible, the mail server is usually only reachable over SSL under the name mail.yourhostingcompany.com. If you use any other name, you’ll get this security warning message.

The issue is similar for other ISPs, especially when they merge or change their infrastructure. This sometimes goes together with a name change of the mail server. They then usually redirect the old name of the mail server to the new name so you still can access your mail, but the SSL certificate of the new server no longer contains the old name. The result is that you get this warning dialog and you’ll have to update your account settings for the new server name.
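
The name comparison described above can be reproduced outside Outlook. The following is an added example, not part of the original article: it applies RFC 6125-style matching (an assumption about how a mail client compares names; Outlook's exact behaviour may differ in detail) to a constructed certificate that uses the article's placeholder names.

```python
# Added example: compare a configured mail server name with the names on a
# certificate. SAMPLE_CERT is constructed data in the shape returned by
# Python's ssl.SSLSocket.getpeercert(); it is not a real certificate.

def cert_names(cert):
    """Return the DNS names a client should compare against."""
    san = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if san:  # when SAN DNS names exist, the subject CN ("Issued to") is ignored
        return san
    return [v for rdn in cert.get("subject", ()) for k, v in rdn
            if k == "commonName"]

def name_matches(pattern, host):
    """Exact match, or a '*.' wildcard covering exactly one left-most label."""
    p, h = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if p.startswith("*."):
        head, _, tail = h.partition(".")
        # "." in tail rejects a wildcard directly under a top-level domain
        return bool(head) and tail == p[2:] and "." in tail
    return p == h

def check_server_name(configured, cert):
    """Return (ok, names): ok is True if `configured` is on the certificate."""
    names = cert_names(cert)
    return any(name_matches(n, configured) for n in names), names

SAMPLE_CERT = {
    "subject": ((("commonName", "mail.yourhostingcompany.com"),),),
    "subjectAltName": (("DNS", "mail.yourhostingcompany.com"),
                       ("DNS", "*.yourhostingcompany.com")),
}

if __name__ == "__main__":
    for host in ("mail.yourdomain.com", "mail.yourhostingcompany.com",
                 "smtp.yourhostingcompany.com"):
        ok, names = check_server_name(host, SAMPLE_CERT)
        status = "match" if ok else "MISMATCH (warning dialog expected)"
        print(f"{host}: {status}; names on certificate: {names}")
```

When the result is a mismatch, the returned list holds the names to try in the account settings, which is the same information the “Issued to” and “Subject Alternative Name” fields show in the dialog.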